Android Trojan Banking App Targets Master Key Vulnerability

Security researchers have spotted a legitimate banking app for Android smartphones and tablets that has been "trojanized" using the so-called master key vulnerability. That flaw, which affects all versions of Android prior to version 4.2.2, can be used by attackers to inject malicious code into a digitally signed, legitimate Android app.

In this case, attackers have been offering a trojanized update for a legitimate online banking app distributed by South Korea's NH Nonghyup Bank. The Android app is used by up to 10 million people.

Running the malicious app triggers a screen asking users to enter their account details. "Should the user comply, their information would be sent to a remote malicious server controlled by the cybercriminal," said Peter Yan, a Trend Micro mobile security engineer, in a blog post. In other words, people who fall for the attack would be likely targets for cybercriminals trying to drain their bank accounts

... Read full story on InformationWeek